PROTECTED DISTRIBUTION PROTOCOL
FOR KEYING AND CERTIFICATE MATERIAL 

BACKGROUND OF THE INVENTION 

1. Field of the Invention 

This invention relates in general to computer security 
systems, and, more particularly, to a computer security 
system and a method for the protected distribution of 
certificate and keying material between a certification 
authority and an entity in the certification authority's 
domain. 

2. Description of the Related Art

In existing methods for distribution of certificate 
and keying material, the administrator must manually 
distribute the information to each end system (entity) and 
user. Administrators in the past were required to visit 
each system or user on the system more than once to 
initialize the information required to support the network 
security mechanism. 

The certificate or keying material is used later to 
authenticate and to protect the communications between 
distributed entities. If these materials are compromised 
in the initial distribution, then the confidentiality and 
authentication services cannot be assured during further 
operation. 

This manual distribution system is further fraught 
with difficulties in maintaining security in the physical 
transportation of the keying materials between the 
Certification Authority and the various entities, and with 
the consequent time lag mandated by the actual wait times 
involved in moving from one entity to the other. All 
during this setup time, the various entities are denied 
access to the protected data for which they may have an 
immediate need.

The present invention meets and overcomes this problem 
of maintaining security during the transfer of the keying 
materials between entities and shortens the time during
which access is denied an otherwise authorized entity to a 
minimum. 

The present invention reduces the required visits 
needed to install the necessary security access software to 
a single visit by using a password (shared secret) to 
generate the essential keying material to be used for both 
integrity and encryption services to protect the data 
necessary for authentication and network security protocol 
protection. 

OBJECTS AND SUMMARY OF THE INVENTION 

Therefore, it is an object of the present invention to 
provide a computer security network system and a method for 
the protected distribution of certificate and keying 
material between a certification authority and an entity in 
the certification authority's domain. 

It is still another object of the present invention to 
provide a method and system that quickly provides 
authorized users control of their data. 

It is another object of the present invention to 
provide a method and system that facilitates, rather than 
prevents, the establishment of encoded public and private 
key data or documents classified at different security 
levels. 

The present invention provides a computer system and 
a method for the protected distribution of certificate and 
keying material between a certification authority and an 
entity in the certification authority's domain by 
establishing a shared secret and using it to protect the 
data transferred between the entity and the certifying 
authority. 

The novel features of construction and operation of 
the invention will be more clearly apparent during the 
course of the following description, reference being had to 
the accompanying drawings wherein has been illustrated a 
preferred form of the device of the invention and wherein 
like characters of reference designate like parts
throughout the drawings.

BRIEF DESCRIPTION OF THE FIGURES 

FIGURE 1 is a block diagram flowchart showing the 
general overall logic flow through a system incorporating 
the present invention. 

DESCRIPTION OF THE PREFERRED EMBODIMENT 

A preferred form of the invention is embodied in a
method and computing system for providing for the protected 
distribution of certificate and keying material between a 
certification authority and an entity in the certification 
authority's domain by establishing a shared secret and 
using it to protect the data transferred between the entity 
and the certifying authority. 

In general, as shown in FIGURE 1, the invention is 
found in a computer system operating over a network in 
accord with the following steps outlined below in detail to 
provide for the protected distribution of certificate and 
keying material between a certification authority and at 
least one entity in the certification authority's domain. 

The certifying authority begins by generating and 
sending keying material, including a password, to the 
subject entity via a first secure communications medium. 
In this instance, the most secure communications medium is 
a non-electronic medium, such as a manual courier, secure 
mail or other secure communications medium that is distinct 
from the computer system over which the keying material is 
to be used as described later in authenticating the entity 
to the certifying authority. 

Once the entity receives the keying material from the 
certifying authority, it then generates a public and a 
private key pair and protects the public key using the 
keying material provided it by the certifying authority. 

The entity now generates and protects a request for a 
certificate to the certifying authority by using the keying 
material provided it by the certifying authority. Once
generated and protected, the request is sent to the
certifying authority via a second secure communications
medium connecting the certifying authority with the
entities in its certifying domain.

Once the certifying authority receives the request
from the entity, the certifying authority authenticates the
identity of the requesting entity. This is done by
requesting, via the second secure communications medium,
that the public key and address of the entity be sent to
the certifying authority.

The requesting entity, having received the
authentication request from the certifying authority,
protects the transmission of its selected public key and
address to the certifying authority via the second secure
communications medium, by using the keying material
provided by the certifying authority.

Once the identity of the requesting entity is
confirmed, the certifying authority then assembles and
issues the requested certificate to the entity via the
second secure communications medium, and records the public
key of the entity at the certifying authority for public
use by other entities within the certifying domain of the
certifying authority.
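
The authentication exchange described above can be sketched as follows; this is an added example, not code from the patent. The patent names no algorithms, so the PBKDF2-HMAC-SHA256 derivation, the HMAC tag, the JSON framing, the CA nonce and all function names are assumptions, and only the integrity half is shown because the Python standard library has no cipher to use with the encryption key.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000  # assumed work factor; the patent specifies no KDF

def derive_keys(password: str, salt: bytes):
    """Stretch the out-of-band password into two independent 32-byte keys."""
    okm = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]  # (integrity key, encryption key)

def protect(password: str, public_key: bytes, address: str, nonce: bytes):
    """Entity side: bind public key, address and the CA's nonce under a tag."""
    salt = secrets.token_bytes(16)
    k_int, _k_enc = derive_keys(password, salt)  # _k_enc would key a cipher
    body = json.dumps({"public_key": public_key.hex(),
                       "address": address,
                       "nonce": nonce.hex()}, sort_keys=True).encode()
    tag = hmac.new(k_int, body, hashlib.sha256).digest()
    return {"salt": salt, "body": body, "tag": tag}

def ca_verify(password: str, message: dict, expected_nonce: bytes):
    """CA side: return the fields only if the tag and the nonce both check."""
    k_int, _ = derive_keys(password, message["salt"])
    expected = hmac.new(k_int, message["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None  # wrong password or modified in transit
    fields = json.loads(message["body"])
    if fields["nonce"] != expected_nonce.hex():
        return None  # answer to a different (possibly replayed) request
    return fields

if __name__ == "__main__":
    # Constructed sample values, not real keying material.
    password = "courier-delivered-example"
    nonce = secrets.token_bytes(16)           # sent with the CA's request
    pubkey = bytes.fromhex("3082010a0282")    # stand-in for an encoded key
    msg = protect(password, pubkey, "entity1.example", nonce)
    print("accepted:", ca_verify(password, msg, nonce))
    msg["body"] = msg["body"].replace(b"entity1", b"entity9")
    print("tampered:", ca_verify(password, msg, nonce))
```

Because the tag depends on a password that travelled over the first, separate medium, a party who controls only the network cannot substitute its own public key without the CA rejecting the message.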

The invention described above is, of course,
susceptible to many variations, modifications and changes,
all of which are within the skill of the art. It should be
understood that all such variations, modifications and
changes are within the spirit and scope of the invention
and of the appended claims. Similarly, it will be
understood that Applicant intends to cover and claim all
changes, modifications and variations of the example of the
preferred embodiment of the invention herein disclosed for
the purpose of illustration which do not constitute
departures from the spirit and scope of the present
invention.

WHAT IS CLAIMED IS:

1. A method for the protected distribution of
certificate and keying material between a certification
authority and at least one entity in the certification
authority's domain via a communications medium connecting
the certification authority and entities in its domain,
comprising the steps of:

sending keying material, including a password,
generated by the certifying authority to the entity via a
first secure communications medium;

generating and protecting, by the entity, a public and
a private key pair using the keying material provided the
entity by the certifying authority;

generating, protecting and sending via a second secure
communications medium a request for a certificate to the
certifying authority using the keying material provided the
entity by the certifying authority;

requesting, by the certifying authority via the second
secure communications medium, that the public key and
address of the entity be sent to the certifying authority;

protecting and sending the public key and address of
the entity to the certifying authority via the second
secure communications medium using the keying material
provided it by the certifying authority;

assembling and issuing the certificate to the entity
from the certifying authority via the second secure
communications medium and recording the public key of the
entity at the certifying authority for public use within
the domain of the certifying authority.

2. The method of claim 1 wherein said step of sending
keying material, including a password, generated by the
certifying authority to the entity via a first secure
communications medium further includes the step of:
selecting the first secure communications medium that is
separate and independent from the second secure
communications medium.

3. The method of claim 1 wherein said step of sending
keying material, including a password, generated by the
certifying authority to the entity via a first secure
communications medium further includes the step of:
selecting a non-electronic transmission medium for the
first secure communications medium.